Mar 18, 2024, 08:30 PM
This is just something neat I learned that I wanted to share for solving the Litter Sherlock challenge
The first way after looking at the information in WireShark and has been my go to for years. I parsing the data with tcpdump. Shown below.
tcpdump -qns 0 -A -r ./suspicious_traffic.pcap udp and src 192.168.157.145 and dst 192.168.157.144 | grep -v ' UDP, length' | cut -b 42- | cut -b -18 | xxd -r
Another way and something I did not know is that wireshark has it's own command line tool that makes parsing pcap files even easier.
tshark -r suspicious_traffic.pcap -Y 'ip.src == 192.168.157.144 && ip.dst == 192.168.157.145' | cut -d ' ' -f 12 | sed 's/.microsofto365.com//' | cut -b 19- | xxd -r -p | tr -cd '\12\40-\176'
I know this is a really short writeup but I thought it was much easier to use tshark for this lab. Basically if you run either of these commands you will be able to find all the answers you are looking for.to solve this challenge.
The first way after looking at the information in WireShark and has been my go to for years. I parsing the data with tcpdump. Shown below.
tcpdump -qns 0 -A -r ./suspicious_traffic.pcap udp and src 192.168.157.145 and dst 192.168.157.144 | grep -v ' UDP, length' | cut -b 42- | cut -b -18 | xxd -r
Another way and something I did not know is that wireshark has it's own command line tool that makes parsing pcap files even easier.
tshark -r suspicious_traffic.pcap -Y 'ip.src == 192.168.157.144 && ip.dst == 192.168.157.145' | cut -d ' ' -f 12 | sed 's/.microsofto365.com//' | cut -b 19- | xxd -r -p | tr -cd '\12\40-\176'
I know this is a really short writeup but I thought it was much easier to use tshark for this lab. Basically if you run either of these commands you will be able to find all the answers you are looking for.to solve this challenge.